? Does the provider maintain a documented method that details the impact of a disruption? o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service.

O o o Are information security activities appropriately addressed in the restoration process? What are the lines of communication to end customers in the event of a disruption? Are the roles and responsibilities of teams clearly identified when dealing with a disruption? ? ? ? Has the provider categorised the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW).

What dependencies relevant to the restoration process exist? Include suppliers and outsource partners.

In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site? I NCIDENT MANAGEMENT AND RESPONSE Incident management and response is a part of business continuity management.

The goal of this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization.

To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident, the following questions should be asked to a cloud provider: ? Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents? ? Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider’s support organisation is aware of the processes and of their roles during incident handling (both during the incident and post analysis)? ? How are the detection capabilities structured? o How can the cloud customer report anomalies and security events to the provider? o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider? Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are monitored? Do you provide (upon request) a periodical report on security incidents (EG,.

According to the ITIL definition)? o o 78 Cloud Computing Benefits, risks and recommendations for information security o o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs? Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party? ? ? ? ? ? ? How are severity levels defined? How are escalation procedures defined? When (if ever) is the cloud customer involved? How are incidents documented and evidence collected? Besides authentication, accounting and audit, what other controls are in place to prevent (or minimize the impact of) malicious activities by insiders? Does the provider offer the customer (upon request) a forensic image of the virtual machine? Does the provider collect incident metrics and indicators (ie,.

Number of detected or reported incidents per months, number of incidents caused by the cloud provider’s subcontractors and the total number of such incidents, average time to respond and to resolve, etc)?).

O Which of these does the provider make publicly available (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information)??) How often does the provider test disaster recovery and business continuity plans? Does the provider collect data on the levels of satisfaction with SLAs? Does the provider carry out help desk tests? For example: o Impersonation tests (is the person at the end of the phone requesting a password reset, really who they say they are?) or so called ‘social engineering’ attacks.

Does the provider carry out penetration testing? How often? What are actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to ‘break out’ of one image into another and also gain access to the host infrastructure?.

The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud providers management and support systems (EG, example the provisioning and admin access control systems).

Does the provider carry out vulnerability testing? How often? What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later versions of software, etc)?

Read more about ITIL Definition : according to the ITIL definition o o 78 Cloud Computing….: